#4 - Switch to POSIX-compliant shell and drop root privileges
Replaced bash with sh for broader compatibility, ensuring scripts work with BusyBox/dash. Updated Dockerfile to use non-root user (UID 1000) and adjusted paths and permissions accordingly. Simplified and streamlined variable checks and logic in build.sh.
This commit is contained in:
parent
9395bf30a3
commit
f777a7197a
2 changed files with 28 additions and 42 deletions
|
@ -34,11 +34,14 @@ LABEL \
|
|||
#-----------------------------------------------------------------------------
|
||||
# Copy artefacts & make the wrapper executable
|
||||
#-----------------------------------------------------------------------------
|
||||
COPY build.sh /usr/local/bin/build.sh
|
||||
COPY --chmod=0755 build.sh /bin/build.sh
|
||||
COPY LICENSE /LICENSE
|
||||
RUN chmod +x /usr/local/bin/build.sh
|
||||
RUN chmod +x /bin/build.sh
|
||||
|
||||
# Drop root privileges (UID 1000 exists in the base image)
|
||||
USER 1000
|
||||
|
||||
#-----------------------------------------------------------------------------
|
||||
# Runtime entrypoint
|
||||
#-----------------------------------------------------------------------------
|
||||
ENTRYPOINT ["/usr/local/bin/build.sh"]
|
||||
ENTRYPOINT ["/bin/build.sh"]
|
||||
|
|
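Review bot: `USER 1000` is followed at runtime by build.sh writing `/kaniko/.docker/config.json` (the `mkdir -p /kaniko/.docker` in the second file of this commit), and nothing in this hunk shows that `/kaniko` is writable by UID 1000 in the base image; if it is not, the failure only appears when registry credentials are supplied, so either prepare the directory before dropping privileges (`RUN mkdir -p /kaniko/.docker && chown 1000 /kaniko/.docker`) or state the base-image requirement in the comment above `USER 1000`. Consider `USER 1000:1000` unless the base image's passwd entry for that UID is guaranteed, since a bare UID with no passwd entry is run with GID 0. The section appears to keep both `COPY --chmod=0755 build.sh /bin/build.sh` and `RUN chmod +x /bin/build.sh`; if both are on the new side the RUN is redundant (one extra layer), and `--chmod` requires a BuildKit frontend, which is worth a one-line comment.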
61
build.sh
61
build.sh
|
@ -1,28 +1,17 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
#!/bin/sh
|
||||
# BusyBox/dash-friendly: no “pipefail”, no “[[ … ]]”, no “+=”
|
||||
|
||||
set -eu # BusyBox ash does not support “pipefail”
|
||||
|
||||
###############################################################################
|
||||
# Mandatory variables – abort if not provided
|
||||
###############################################################################
|
||||
if [[ -z "${KANIKO_CONTEXT:-}" ]]; then
|
||||
echo "Error: KANIKO_CONTEXT environment variable is required but not set." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "${GITHUB_REF_NAME:-}" ]]; then
|
||||
echo "Error: GITHUB_REF_NAME environment variable is required but not set." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "${GIT_USERNAME:-}" ]]; then
|
||||
echo "Error: GIT_USERNAME environment variable is required but not set." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "${GIT_PASSWORD:-}" ]]; then
|
||||
echo "Error: GIT_PASSWORD environment variable is required but not set." >&2
|
||||
exit 1
|
||||
fi
|
||||
for var in KANIKO_CONTEXT GITHUB_REF_NAME GIT_USERNAME GIT_PASSWORD; do
|
||||
eval [ -z \"\${$var:-}\" ] && {
|
||||
echo "Error: $var environment variable is required but not set." >&2
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
|
||||
###############################################################################
|
||||
# Optional / defaulted variables
|
||||
|
@ -39,7 +28,7 @@ KANIKO_DOCKERFILE="${KANIKO_DOCKERFILE:-./Dockerfile}"
|
|||
# Handle registry authentication (only if credentials are present)
|
||||
###############################################################################
|
||||
AUTH_ENABLED=false
|
||||
if [[ -n "${REGISTRY_USER}" && -n "${REGISTRY_PASS}" ]]; then
|
||||
if [ -n "${REGISTRY_USER}" ] && [ -n "${REGISTRY_PASS}" ]; then
|
||||
echo "Registry credentials supplied – configuring authentication for ${REGISTRY_HOST}"
|
||||
mkdir -p /kaniko/.docker
|
||||
cat > /kaniko/.docker/config.json <<EOF
|
||||
|
@ -62,35 +51,29 @@ fi
|
|||
###############################################################################
|
||||
DEST_FLAGS=""
|
||||
|
||||
# Push is only possible if we have BOTH credentials and at least one destination
|
||||
if $AUTH_ENABLED && [[ -n "${KANIKO_DESTINATION// }" ]]; then
|
||||
if $AUTH_ENABLED && [ -n "${KANIKO_DESTINATION## }" ]; then
|
||||
echo "Building list of --destination flags"
|
||||
OLD_IFS="$IFS"; IFS=','
|
||||
|
||||
old_ifs="$IFS"; IFS=','
|
||||
for raw in $KANIKO_DESTINATION; do
|
||||
raw="$(echo "$raw" | xargs)" # trim whitespace
|
||||
expanded="$(eval echo "$raw")" # expand variables
|
||||
[[ -n "$expanded" ]] && DEST_FLAGS+=" --destination=${expanded}"
|
||||
raw=$(echo "$raw" | xargs) # trim
|
||||
expanded=$(eval echo "$raw") # env-var expansion if any
|
||||
[ -n "$expanded" ] && DEST_FLAGS="$DEST_FLAGS --destination=$expanded"
|
||||
done
|
||||
|
||||
IFS="$OLD_IFS"
|
||||
IFS="$old_ifs"
|
||||
echo "Image(s) will be pushed to the registry."
|
||||
else
|
||||
DEST_FLAGS="--no-push"
|
||||
if ! $AUTH_ENABLED; then
|
||||
echo "Image(s) will NOT be pushed because registry credentials are missing."
|
||||
elif [[ -z "${KANIKO_DESTINATION// }" ]]; then
|
||||
echo "KANIKO_DESTINATION not provided – image(s) will be built with --no-push."
|
||||
fi
|
||||
$AUTH_ENABLED || echo "Registry credentials are missing – image(s) will not be pushed."
|
||||
[ -n "${KANIKO_DESTINATION## }" ] || echo "KANIKO_DESTINATION not provided – using --no-push."
|
||||
fi
|
||||
|
||||
echo "Kaniko will be called with: ${DEST_FLAGS}"
|
||||
echo "Kaniko will be called with:${DEST_FLAGS}"
|
||||
|
||||
###############################################################################
|
||||
# Invoke Kaniko
|
||||
###############################################################################
|
||||
/kaniko/executor \
|
||||
exec /kaniko/executor \
|
||||
--verbosity="${KANIKO_VERBOSITY}" \
|
||||
--context="${KANIKO_CONTEXT}#${GITHUB_REF_NAME}" \
|
||||
--dockerfile="${KANIKO_DOCKERFILE}" \
|
||||
${DEST_FLAGS}
|
||||
$DEST_FLAGS
|
||||
|
|
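Review bot: `[ -n "${KANIKO_DESTINATION## }" ]` (used twice in the last hunk, at the push condition and at the --no-push message) is not equivalent to the bash `${KANIKO_DESTINATION// }` it replaces: `## ` strips at most one leading space, so a value consisting only of blanks now counts as a destination, takes the push branch, the loop emits no --destination flag, and the executor is run with an empty DEST_FLAGS instead of --no-push. A POSIX way to test for a non-blank value is `case "${KANIKO_DESTINATION:-}" in *[![:space:]]*) has_dest=true ;; *) has_dest=false ;; esac` computed once before the `if`, then `if $AUTH_ENABLED && $has_dest; then` and `$has_dest || echo "KANIKO_DESTINATION not provided – using --no-push."`. Separately, `expanded=$(eval echo "$raw")` still evaluates text taken from the environment as shell code; if variable references inside KANIKO_DESTINATION are a real requirement, document that contract on the line, otherwise drop the eval, and prefer `printf '%s\n' "$raw"` over `echo` now that the interpreter may be dash/BusyBox, whose echo interprets backslash escapes. The `eval [ -z \"\${$var:-}\" ]` loop in the first hunk can likewise be written without eval as one `: "${KANIKO_CONTEXT:?Error: KANIKO_CONTEXT environment variable is required but not set.}"` line per variable, which also keeps the message text unchanged.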